ISA99 Part 4
From SCADApedia
Part 4: Technical Requirements for Industrial Automation and Control Systems
Part 4 is where the actual must and shall statements for technical security controls reside in the ISA99 standard. One of the goals of Part 4 is to develop a standard that supports compliance testing of devices and systems.
Security Levels
The ISA99 Committee has attempted to follow the Safety Integrity Level (SIL) approach and identify and define Security Assurance Levels (SALs). A set of Foundational and Derived Requirements will define four different SALs. SAL-1 is the least secure, but it does still have a minimal set of security requirements. SAL-4 is the highest security level.
From a system perspective, a security zone will have a SAL and conduits between zones will have security requirements.
Foundational Requirements
Part 1 of the ISA99 standard identified and defined seven Foundational Requirements: Access Control, Use Control, Data Integrity, Data Confidentiality, Restrict Data Flow, Timely Response To Events, and Network Resource Availability. In Part 4, Clause 7 provides a list of specific Foundational Sub-Requirements related to each Foundational Requirement.
The format of the Sub-Requirements is very similar to the NIST SP800-53 format, and in fact there is a cross reference from each Sub-Requirement to the SP800-53 requirements. Each Sub-Requirement may have one or more enhancement clauses that increase the rigor of the Sub-Requirement.
Each Sub-Requirement then has a section on the applicability of the Sub-Requirement and its enhancements to each SAL. For example, FR2.1 (Foundational Requirement = Use Control, Sub-Requirement = Wireless Access Restrictions) applies to all four SALs. Enhancement 1 applies to SALs 2, 3 and 4. Enhancement 2 applies to SALs 3 and 4.
Derived Requirements
Part 4 introduces the term "derived requirements" for the specific must and shall statements derived from the Foundational Requirements.
Use by ISCI
The ISA Security Compliance Institute (ISCI) intends to use Part 4 as a reference document to develop compliance test specifications for one or more security certifications.
Status
Work has begun on Part 4 and certain sections, such as Foundational Requirements, are scheduled to be completed in December 2008.
July 2008 Update: A ballot is out to split Part 4 into multiple parts so some of the information can be completed and voted on more quickly.
